Pass the Cisco CCNP Security 350-701 Questions and answers with ValidTests

Explanation

Explanation

There are three basic categories of attack:

+ volume-based attacks, which use high traffic to inundate the network bandwidth

+ protocol attacks, which focus on exploiting server resources

+ application attacks, which focus on web applications and are considered the most sophisticated and serious type of attacks Reference: https://www.esecurityplanet.com/networks/types-of-ddos-attacks/

To force a session to be adjusted after a policy change is made, two configurations are required on Cisco ISE and on Cisco TrustSec devices: Dynamic Authorization and Change of Authorization (CoA). Dynamic Authorization allows Cisco ISE to send commands to network devices to change the authorization status of a user session. CoA is a feature that enables Cisco ISE to send a RADIUS message to a network device to reauthenticate or disconnect a user session. These two configurations enable Cisco ISE to apply the updated policy to the user session without requiring the user to log out and log in again.

According to the source book, the steps to configure Dynamic Authorization and CoA are as follows1:

On Cisco ISE, navigate to Administration > Network Resources > Network Devices and select the network device that supports TrustSec.

On the Edit Network Device page, select the Advanced TrustSec Settings tab and check the Support for CoA check box.

On the same tab, select the appropriate CoA type from the drop-down list. The options are RADIUS Disconnect, Port Bounce, and Reauth.

Click Submit to save the changes.

On the network device, enter the global configuration mode and issue the command aaa server radius dynamic-author to enable Dynamic Authorization.

Optionally, you can specify the source interface, authentication key, and port number for the Dynamic Authorization messages.

Exit the global configuration mode and save the configuration.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.2: Implementing TrustSec, Topic 4.2.3: Configuring TrustSec on Cisco ISE and Network Devices, pp. 4-83 to 4-85.

The Cisco DNA Center API provides the ability to program and monitor networks from somewhere other than the DNAC GUI. The API is a set of RESTful web services that allow users to interact with Cisco DNA Center programmatically. The API can be used to automate tasks, integrate with third-party applications, or create custom applications. The API exposes the same functionality as the DNAC GUI, such as design, provision, policy, assurance, and platform1. The API also provides documentation, examples, and testing tools for each API call1. References :=

Cisco DNA Center User Guide, Release 2.3.3

Cisco DNA Center User Guide, Release 2.2.2

DNAC Tour Part 1: Introduction to Cisco DNA Center

Cisco DNA Center Platform User Guide, Release 2.2.2

A destination list is a list of internet destinations: domains, URLs, and CIDRs. To control identity access to specific destinations, you can add destination lists to Umbrella and then select them when configuring your Web and DNS policies12. When you add or edit a destination list, the changes are applied immediately if the destination list is part of a policy3. This means that any identities that are associated with the policy will be affected by the changes in the destination list. You do not need to save the configuration or remove the destination list from the policy to apply the changes. However, you do need to have the appropriate user role to manage destination lists. The user role of Block Page Bypass or higher is needed to perform these changes4. References :=

Manage Destination Lists - Umbrella User Guide

Manage Destination Lists - Umbrella SIG User Guide

Add a Destination List - Umbrella User Guide

Add a DNS Destination List - Umbrella SIG User Guide

P2, P3, and P6 only. Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network and prevents ARP spoofing attacks. DAI relies on the DHCP snooping database to verify the IP-to-MAC bindings of hosts on the network. DAI operates on untrusted ports, which are ports that connect to hosts or devices that generate ARP traffic. Trusted ports are ports that connect to other switches or routers that do not generate ARP traffic.

In this scenario, the DHCP snooping database resides on router R1, which means that switch SW2 needs to trust the port P3 that connects to R1. This way, SW2 can receive the DHCP snooping information from R1 and populate its own database. The port P4 that connects to switch SW3 also needs to be trusted, because SW3 does not generate ARP traffic. The ports P2 and P6 that connect to hosts P6 and P7 need to be untrusted, because they generate ARP traffic and need to be validated by DAI. The port P1 that connects to host P5 does not need to be configured as untrusted, because DAI is not enabled on switch SW1.

To understand the concept of DAI and how to configure it, you can refer to the following sections of the source book:

Section 1.1.2: Describe the concepts of network security

Section 1.1.2.8: Describe the concepts of DAI

Section 1.1.2.9: Describe the concepts of DHCP snooping

Section 1.1.2.10: Describe the concepts of trusted and untrusted ports

Section 1.1.2.11: Describe the concepts of DAI configuration

The result of using this authentication protocol in the configuration is that the authentication and authorization requests are grouped in a single packet. This is because the configuration uses RADIUS as the AAA protocol, which combines both authentication and authorization functions in one process. RADIUS is facilitated through AAA and can be enabled only through AAA commands. The aaa new-model global configuration command enables AAA, and the radius-server host command specifies the IP address and the shared secret key of the RADIUS server. The aaa authentication command defines the method list for RADIUS authentication, and the aaa group server command defines the group name and the members of the group. The line and interface commands enable the defined method list to be used. When a user tries to access the router, the router sends a single Access-Request packet to the RADIUS server, which contains the user credentials and other attributes. The RADIUS server then verifies the credentials and returns either an Access-Accept packet, which grants access and may include authorization information, or an Access-Reject packet, which denies access. Therefore, the correct answer is D. References:

Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst …

Configuring Basic AAA on an Access Server - Cisco

AAA Server Priority explained with New Radius Server Command Line

Configuring AAA on Cisco Devices – RADIUS and TACACS+ - Study-CCNA

Explanation

Explanation

The Application Visibility and Control (AVC) engine lets you create policies to control application activity on the network without having to fully understand the underlying technology of each application. You can configure application control settings in Access Policy groups. You can block or allow applications individually or according to application type. You can also apply controls to particular application types.

 Cl/CD pipelining is a method of software development that aims to deliver software faster and more reliably by automating the process of integrating, testing, and deploying code changes. Cl stands for continuous integration, which means that every code change is merged into a shared repository and verified by automated tests. CD stands for continuous delivery, which means that the code is always in a deployable state and can be released to production environments with minimal human intervention. Cl/CD pipelining enables developers to collaborate more effectively, detect and fix errors earlier, and deliver value to customers more frequently. Cl/CD pipelining is a key practice of DevOps, a culture and set of processes that bridge the gap between development and operations teams. References: 

https://www.redhat.com/en/topics/devops/what-cicd-pipeline

https://about.gitlab.com/topics/ci-cd/cicd-pipeline/

To deploy Cisco WSA in transparent mode, the configuration component that must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol, which is a protocol that allows a network device (such as a switch) to redirect web traffic to a proxy server (such as Cisco WSA) transparently. This means that the client does not need to configure any proxy settings on the browser, and the proxy server can intercept and process the web requests and responses without the client’s knowledge. WCCP can also provide load balancing and failover capabilities for multiple proxy servers.

The other options are incorrect because they are not required or relevant for transparent mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a feature that allows multiple physical links to be aggregated into a single logical link for dial-up connections. It has nothing to do with transparent mode. Option B is incorrect because PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on criteria other than the destination IP address, such as source IP address, protocol, port, etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection. Option D is incorrect because DNS resolution on Cisco WSA is not a configuration component, but a function that allows the proxy server to resolve domain names to IP addresses. It is not specific to transparent mode, as it is also used in explicit mode. References:

What is the difference between transparent and forward proxy mode?

User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials

Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?

the file to Cisco Threat Grid for dynamic analysis. Cisco Threat Grid is a cloud-based service that provides malware analysis and threat intelligence. It can analyze suspicious files and URLs, and provide detailed reports on the behavior, indicators, and severity of the threat1. By sending the file to Cisco Threat Grid, the custom file policy can leverage the dynamic analysis results to detect the file as an indicator of compromise, and prevent other endpoints from executing the infected file. The other options are not correct because they do not address the root cause of the problem, which is the lack of detection by the custom file policy. Creating an IP block list, blocking the application, or uploading the hash for the file may help to mitigate the attack, but they do not ensure that the custom file policy is functioning as it should. References:

2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 5: Endpoint Protection and Detection

3: Cisco AMP for Endpoints User Guide - Custom Detection Lists

4: Cisco AMP for Endpoints User Guide - File Analysis and Cisco Threat Grid

1: Cisco Threat Grid - Overview

Cisco FMC is the centralized management solution for Cisco FTD appliances. It provides configuration, monitoring, analysis, and reporting capabilities for FTD devices. Cisco FMC can also manage Cisco ASAs that have been converted to FTD devices. Cisco FMC can be deployed as a physical or virtual appliance, or as a cloud service (CDO). However, since the organization does not have a local VM, CDO is not an option. Cisco FDM is the on-box management solution for FTD devices, which does not support centralized management or ASA migration. CSM is the legacy management solution for Cisco ASAs, which does not support FTD devices. References :=

Some possible references are:

Cisco Firepower Management Center Configuration Guide, Version 6.7

Install and Upgrade FTD on Firepower Appliances

Firepower Threat Defense simplifies application security

Configuring the IEEE 802.1X Flexible Authentication feature to support Layer 3 authentication mechanisms involves adding MAC Authentication Bypass (MAB) into the switch configuration. This allows devices that do not support 802.1X to be authenticated using their MAC address. Once MAB identifies the device, it can then be redirected to a Layer 3 device for further authentication, thus providing a mechanism to support devices requiring Layer 3 authentication methods.

Explanation

Answer B is not correct because Cross-site Scripting (XSS) is not a brute force attack.

Answer C is not correct because the statement “Cross-site Scripting is when executives in a corporation are attacked” is not true. XSS is a client-side vulnerability that targets other application users.

Answer D is not correct because the statement “Cross-site Scripting is an attack where code is executed from the server side”. In fact, XSS is a method that exploits website vulnerability by injecting scripts that will run at client’s side.

Therefore only answer A is left. In XSS, an attacker will try to inject his malicious code (usually malicious links) into a database. When other users follow his links, their web browsers are redirected to websites where

attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via his browser) into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods of GET/POST

parameters.

Note: The main difference between a SQL and XSS injection attack is that SQL injection attacks are used to steal information from databases whereas XSS attacks are used to redirect users to websites where attackers can steal data from them.